167 million LinkedIn accounts for sale on dark market, linked to 2012 breach

A collection of 167 million LinkedIn accounts is up for sale on a dark market website. The asking price? A mere five Bitcoins, or roughly $2,200.

The data dump was recently posted on TheRealDeal and reportedly contains user IDs, e-mail addresses and SHA1 password hashes for 167,370,940 users. Renowned security researcher Troy Hunt, who manages a site that lets people know if their data has been stolen, told Computerworld he has seen a subset of the data and verified that it’s legitimate.

While 167 million is a number that’s certainly enough to make LinkedIn’s day pretty crummy, it doesn’t represent the site’s entire database. On its website, LinkedIn says it has more than 433 million registered users.

LinkedIn was the victim of a security breach in 2012 in which 6.5 million accounts were stolen and posted online. Administrators of the data leak indexing website LeakedSource, which also claims to have a copy of the fresh data set, believe the accounts in question originate from the 2012 breach.

Of the 167 million accounts currently up for sale, LeakedSource says only 117 million have passwords attached to them, which suggests the remaining users may have registered for LinkedIn through Facebook or some other outside service.

If this data is indeed four years old, the 2012 breach was far more widespread than initially thought. It’s unclear why the hacker(s) would have sat on such a large subset of data for so long before putting it up for sale.

Existing LinkedIn users are encouraged to change their passwords immediately. It’s also advisable to enable the site’s two-factor authentication and to change passwords on other sites where users might have recycled old passwords.